Computer  Science  Department 


TECHNICAL  REPORT 


A  Time-Independent  Deflnition  of  Software  Reliability 


Stewart  N.  Weiss  and  Elaine  J.  Weyuker 


NYU  COMPSCI  146  c.2     ^ 
Weiss,  Stewart  N 

A  time-independent 
definition  of 

Technical  Report  #146 
January  1985 


NEW  YORK  UNIVERSITY 


'epartment  of  Computer  Science 

Courant  Institute  of  Mathematical  Sciences 

251  MERCER  STREET,  NEW  YORK,  N.Y.  10012 


■^.■^r-  *^7«-  '^TTT^^^ 


I 


A  Time-Independent  Definition  of  Software  Reliability 

Stewart  N.  Weiss  and  Elaine  J.  Weyuker 

Technical  Report  #145 
January  1985 


ABSTRACT 

A  definition  of  software  reliability  is  proposed  in  which  reliability  is  treated 
as  a  generalization  of  the  probability  of  correctness  of  the  software  in  question. 
The  definition  is  parametrized  by  the  distribution  characterizing  the  operational 
environment.  It  is  shown  that  the  definition  can  be  used  to  provide  many  natural 
models  of  reliability  by  varying  an  integer  parameter,  and  that  it  may  be 
approximated  reasonably  using  well-chosen  test  sets.  It  is  proved  that,  under 
fairly  weak  conditions,  one  can  not  hope  to  measure  reliability  exactly  by  using 
finite  test  sets. 


Index  Terms  -    Software  reliability,  operational  distribution,  input  domain  based  /^      C- _ 

model. 


:a  .[■ 


■  T": :  jr. 


.::    OS 


3fa: 


i.nsaoi 


'<- 


A  Time-Independent  Definition  of  Software  Reliability 

Stewart  N.  Weiss  and  Elaine  J.  Weyuker 

Introduction 

Software  reliability  has  been  described  as  "a  metric  which  is  the  probability  of 
operational  success  of  the  software"[17].  Because  the  measurement  of  software  reliability  is 
in  principle  the  modelling  of  a  deterministic  process  by  a  probabilistic  one,  the  problem  arises 
as  to  how  to  model  the  uncertainty  of  the  ultimate  outcome.  When  the  random  variable  is 
chosen  to  be  time,  we  refer  to  the  implicit  definition  of  reliability  as  time-dependent.  When 
the  random  variable  is  otherwise  defined,  we  will  say  the  definition  is  time-independent. 

Most  time-dependent  definitions  of  program  reliability  express  the  idea  that  the 
reliability  of  a  progrEun  is  the  probability  that  a  software  error  which  causes  a  discrepancy 
from  specified  requirements,  by  more  than  specified  tolerances,  in  a  specified  environment 
does  not  lead  to  a  failure  during  a  specified  exposure  period  [1,5,7,10,12,17,18].  Time- 
independent  definitions  attempt  to  capture  the  idea  that  the  reliability  of  a  program  is  the 
probability  that  an  arbitrary  rim  of  the  program  will  produce  the  specified  results  [2]. 

Time-dependent  definitions  provide  a  straightforward  approach  to  measuring  reliability; 
the  indices  most  commonly  derived  in  such  an  approach  include  the  mean  time  to  failure, 
number  of  remaining  errors,  and  probability  of  failure  in  a  time  interval  [0,t].  While  these 
indices  are  relatively  easy  to  compute  in  many  cases,  there  is  one  major  weakness  in  their 
uses  as  measures  of  reliability  :  a  piece  of  software  is  neither  more  nor  less  dependable  today 
than  it  was  yesterday  if  neither  it  nor  its  intended  use  nor  its  operational  environment  has 
changed.  Perhaps  our  confidence  in  it  has  changed,  but  not  its  inherent  reliability. 
However,  the  reliability  indices  described  above  frequently  change  with  the  passing  of  time 
or  the  discovery  of  errors  in  the  software. 

Although  there  has  been  a  great  deal  of  debate  as  to  which  among  the  time  based 
models  is  the  most  reasonable  [6,11,13,15,16],  there  has  been  little  theoretical  justification  of 
their  validity.  Historically,  these  models  have  been  judged  in  part  on  statistical  analysis, 
empirical  results,  and  ease  of  use.  Recently,  lannino  et  al  [9]  proposed  a  set  of  criteria  by 
which  to  judge  software  reliability  models,  particxilarly  the  time-dependent  ones,  and 
recommended  that  these  criteria  be  used  to  compare  and  assess  these  models.  This  is  an 
important  step  towards  providing  a  firm  basis  for  the  use  of  these  models. 

We  consider  here  the  time-independent  aspects  of  reliability,  and,  imlike  time-based 
models,  our  model  treats  the  operational  input  as  its  random  variable.    We  believe  that  the 


This  research  was  supported  in  part  by  the  National  Science  Foundation  under  grant  MCS-82-01167. 


-2- 

reliability  of  software  is  not  a  measure  of  our  confidence  in  it,  but  rather  a  measure  of  its 
trustworthiness  for  the  job  it  is  intended  to  do.  As  such,  we  believe  that  any  reasonable 
definition  should  incorporate  : 

1)  measurement  of  likelihood,  and 

2)  measurement   of   the   discrepancy   between   actual   program   behavior   and   intended 
program  behavior,   and  ^  ^ 

3)  parametrization  of  the  external  environment  influencing^ program  behavior. 

We  therefore  construct  a  family  of  metrics  to  achieve  (2).  The  metrics  in  this  family 
differ  in  the  extent  to  which  they  consider  imponant  the  magnitudes  of  program 
discrepancies.  We  then  show  that  by  an  appropriate  choice  of  parameter  we  can  find  a 
metric  in  this  family  to  model  suitably  a  given  notion  of  distance.  Finally,  we  use  the 
operational  distribution  to  transform  the  metric  spaces  created  into  probability  spaces, 
thereby  achieving  both  (1)  and  (3).  We  show  that  the  definitions  model  reliability  in  a 
natural  way.  In  addition,  we  show  that  using  finite  test  sets  to  estimate  software  reliability 
cannot  in  general  yield  exact  reliability  based  on  this  definition. 


Preliminaries 

The  domain  of  a  program  P  is  the  set  of  all  input  values  for  which  the  execution  of  P 
terminates.  Without  loss  of  generality,  input  and  output  values  are  restricted  to  N,  the  non- 
negative  integers,  and  hence  both  the  domain  and  the  range  of  a  program  are  subsets  of  N. 
It  is  well-known  [5]  that  this  model  of  computation  is  equivalent  to  one  in  which  the  objects 
of  computation  are  finite-length  strings  over  a  fixed  finite  alphabet. 

It  is  assumed  that  all  programs  are  written  in  some  fixed,  but  unspecified,  programming 
language,  C,  which  is  powerful  enough  to  compute  amy  partially  computable  function.  We 
write  <t>  =  {(}),}  to  be  an  enumeration  of  all  of  the  legal  programs  in  C 

We  sometimes  abuse  the  distinction  between  a  program  P  and  the  partially  computable 
function  it  computes.  If  program  P  halts  on  input  n,  we  write  P(n)i;  if  not,  we  write  P(n)t. 
We  write  P(n)  to  mean  the  output  of  P  on  input  n,  if  P(n)i;  otherwise,  we  denote  the  result 
by  ".  We  extend  N  by  the  inclusion  of  the  "point"  <»,  and  we  write  N'  =  N  U  {«>}.  We 
endow  N*  with  the  usual  ordering  and  arithmetic  properties,  i.e.,  (Vn  €  N)(n  <  «)  and 
n  4-  00  =  00,  etc. 

We  write  P(n)  =  Q(n)  if  either  [P(n)i  a  Q(n)i  A  P(n)  =  Q(n)]  or  [  P(n)T  a  Q(n)t  ]. 
Two  programs  P  and  Q  are  equivalent,   denoted  P  =  Q,  if  (Vn  6  N)(P(n)  =    Q(n)). 

There  remains  the  problem  of  defining  a  specification  S  of  a  program.    A  specification 
is  supposed  to  prescribe  the  output  of  the  program  for  each  input.  However,  three  cases  can 
arise  for  a  given  input  n  : 
1)      no  output  is  specified. 


-3- 

2)  exactly  one  output  is  specified. 

3)  more  than  one  output  is  specified. 

We  take  the  position  that  if  case  (1)  occurs  for  a  given  input  n,  then  that  input  is  not  an 
illegal  value,  but  a  "don't  care";  such  inputs  are  outside  the  sphere  of  interest  of  the 
specification.  We  collect  all  such  n  into  the  set  U  =  {  n  |  S  is  unspecified  at  n  }.  If  P  is  some 
program  and  n  €  U,  we  define  P(ii)  to  be  a  correct  value  for  S(n).  Note  that  we  do  not  say 
P(n)  =  S(n),  since  the  transitivity  cJ  "="  does  not  hold.  Illegal  inputs  are  considered  to 
produce  some  specified  error  mess.H|e  and  hence  some  defined  value.  In  the  sequel  we  use 
P  and  Q  to  denote  programs  and  S  to  dr  iotr  a  program  specification. 

Although  it  is  certainly  possible  that  a  jpecification  defines  any  of  a  class  of  outputs  to 
be  acceptable,  we  require  that  for  a  given  input,  either  case  (1)  or  (2)  holds  and,  that  given 
any  input,  we  can  effectively  decide  which  case  does  hold. 

With  the  above  understandings,  a  specification  S  is  a  partial  function  over  N,  with 
computable  domain  D  =  N  -  U.  Our  stronger  assumption  is  that  S  defines  a  partially 
computable  function  over  N,  and  we  henceforth  identify  S  with  that  function. 

Suppose  we  have  a  specification  S  with  domain  D,  intended  for  use  in  a  given 
application  "envirorunent".  Each  element  n  C  N  has  an  associated  probability,  say  p(n),  of 
being  used  as  an  input  to  the  implementation  in  this  environment,  and  this  probability  is  not 
necessarily  dependent  on  membership  m  D.  In  the  literature,  this  probability  distribution  has 
been  called  the  operational  profile  of  the  software  [5].  Each  particular  environment  defines 
some  such  underlying  distribution  of  N,  and  we  assume  here  that  the  distribution  is 
independent  of  the  implementation  program  (which  may  not  always  be  the  case.) 

A  specification  S  might  be  implemented  in  more  than  one  "environment",  and  so  there 
may  be  several  distributions  associated  with  S.  If  we  have  a  program  intended  to  implement 
specification  S,  it  thus  makes  sense  to  speak  of  the  reliability  of  the  program  with  respect  to 
both  S  and  the  operational  distribution  of  the  actual  environment  in  which  the  program  is 
used.  It  seems  reasonable  to  us  to  incorporate  this  distribution  into  the  measure  of  reliability 
in  a  definite  way.  We  will  generally  use  p  to  denote  the  probability  function  defining  the 
operational  distribution. 

The  fact  that  we  may  not  have  knowledge  of  a  particular  distribution  does  not  imply 
that  it  does  not  exist.  In  cases  when  no  information  is  available,  p  would  normally  be  chosen 
to  be  a  uniform  distribution.  But  any  available  information  should  be  used  to  tailor  the 
measurement  of  reliability  to  the  actual  environment.  It  is  this  thought,  together  with  the 
preceding  discussion,  that  moves  us  to  make  the  following  : 

Assertion  :  To  each  specification  S  and  environment  in  which  S  is  implemented,  there  is  a 
unique  probability  function  p,  such  that  for  each  n  €  N,  /7(n)  is  the  likelihood  that  n  is  used 
as  an  input  to  the  implementation  of  the  specification  in  that  environment. 


-4- 

We  emphasize  that  we  are  not  claiming  here  that  p  is  computable;  we  consider  the 
question  of  computability  later.  The  intention  here  is  to  use  the  distribution  as  a  parameter 
of  the  measure  of  the  reliability  of  a  program.  To  do  so  we  incorporate  p  into  our  definition 
of  a  family  of  metrics  defined  on  the  set  of  equivalence  classes  of  4>  with  respect  to  an 
equivalence  we  defme  below. 

Given  a  distribution/?,  we  call  a  value  n  i  H possible  with  respect  to p,  or p-possible,  if 
p(n)  >  0.  If  no  confusion  can  arise,  we  simply  call  n  possible.  Given  two  programs  P  and 
Q,  we  will  say  that  P  and  Q  are  equivalent  with  respect  to p,  oi  p -equivalent,  denoted  P  =  Q, 
if  (Vn  €  N)  (  (p(n)  >  0)  a  (P(n)  =  Q(n))  ).  In  other'words,  P  and  Q  are  p-equivalent  if 
they  agree  on  all  p-possible  inputs.  It  follows  immediately  from  the  definitions  that  P  ^  Q  if 
and  only  if  for  all  distributions  p ,  P  =  Q. 

Definition:  We  call  two  programs  P  and  Q    p-compatible,  and  we  write  P  -  Q,  if 
(Vn  e  N)  ((p(n)  >  0)   =^  (P(n).  c^  Q(n). )  ). 

Note  that  p-compatibilit>'  is  an  equivalence  relation  on  the  set  4>,  the  enumeration  of  all  legal 
programs  in  £. 


The  Definition  and  its  Properties 

Suppose  that  P  and  Q  are  programs  in  ^  which  halt  on  all  inputs  in  N.  A  natural  way  to 
measure  the  discrepanc>-  between  P  and  Q  on  input  n  is  I  PCn)  -  Q(n)  I ,  the  usual  Euclidean 
distance.  However,  if  either  P  or  Q  diverges  on  input  n  then  this  distance  function  is 
undefined.  Qearly,  we  would  like  a  metric  on  the  output  space  (N*)  of  programs  in  £. 
having  the  property'  that  it  is  always  defined,  even  when  one  of  its  arguments  is  undefined 
(w).  Futhermore,  there  are  times  when  our  only  concern  in  comparing  P(nj  and  Q(n)  is 
whether  or  not  they  are  equal.  This  amounts  to  using  a  binary  valued  metric  on  N*.  In  short, 
it  is  useful  to  have  a  family  of  metrics  that  is  large  enough  to  charaaerize  many  different 
notions  of  distance.  For  the  above  reasons  we  make  the  following  : 
Definition;   Let  a  €  N,   a  s  1.  For  any  n  6  N,  and  any  programs  P  and  Q  we  write 


\P{n),Q{n)\,= 


min{a,\P{n)-Q{n)\)    U P(n).  A  Q(n)- 
0  ifP(nyrQ(n)- 

a  otherwise 


We  shall  call  this  the  a-discrepancy  between  P  and  Q  at  n.    When  a  =  1,  the  definition 
reduces  to 


\Pin),Q(n)\-^  = 


0  UP(n)  =    Q(n) 

1  otherwise 


This  is  the  usual  "binary"  interpretation  of  the  correctness  of  one  computation  with  respect  to 
another.    When  a  is  verv'  large,  the  definition  approximates  the  Euclidean  distance  defined 


-5- 

ontheset{P(n)|n  €  N  a  P  6  *  }. 

Definition:  Letp  define  a  distribution  of  N.   Define  5^  :  O  x  O  -.  [0,a]  by 

8^a(/',e)=ip(n)l/'(n),e(n)L 

For  programs  P  and  Q,  8^(P,0)  ii  the  expected  value  of  the  o-discrepanc\'  with  respect 
to  the  distribution  of  the  input  dctaaia  defined  by  p.  If  Q  ii  ^  program  specification  and  P, 
an  intended  implementation  of  Q,  then  S{[(P,Q)  should  b:  'Jicught  of  as  an  approximation  to 
the  expected  "error"  in  P.  'V^'hen  a  =  1,  'I'is  corresponds  to  the  probability,  with  respect  to 
the  operational  distribution,  of  that  subset  of  N  on  whid.  ?  and  Q  differ.  'V^'hen  a  is  very 
large,  it  is  more  like  an  average  discrepancy  between  P  and  Q,  weighted  by  the  operational 
profile. 

Definition:  Let  X  be  any  set  and  let  x,  y  be  elements  of  X.  A  function  d  :  X  x  X  -  R,  the 
real  numbers,  is  called  a  metric  on  the  sot  X  if 

(a)  d(x,y)  >  0  if  X  ^  y;  d(x,x)  =  0 

(b)  d(x,y)  =  d(y,x) 

(c)  d(x,y)  <  d(x,z)  +  d(z,y)   for  all  z  €  X. 
It  is  straightforward  to  show 

Theorem  1:  For  any  a  &  1  and  any  p.  S^  is  a  metric  on  the  set  of  equivalence  classes  of  <t> 
with  respect  to  p. 

We  next  consider  the  following  questions: 

(1)  How  does  the  choice  of  a  effect  the  meaning  of  the  metric  ? 

(2)  Does  this  family  of  metrics  enable  us  to  characterize  different  notions  of  proximity  of 
partially  computable  functions? 

As  a  consequence  of  Theorem  1,  for  any  partially  computable  functions  P  and  Q  and 
any  a-  >  1  and  a-  >  1,  bl{P,Q)  =  0  <=>  bl{P,Q)  =  0.    In  other  words,  "identity"  is  invariant 

with  respect  to  the  choice  of  a.  Another  way  to  \'iew  this  is  that  the  number  of  distina 
points  in  the  metric  space  of  Theorem  1  is  independent  of  the  choice  of  a.  We  can  further 
show  that  : 


-6- 

Lemma  2:  If  P  and  Q  are  partially  computable  functions,  there  is  a  number  M  such  that  for 

all  a  ^  M, 

8S(/',G)=8^(^.e) 

if  and  only  if 

(1)  (Vn)  [  [P(n)i  «  Q(n)i]  v  p(n)  =  0  ]  and 

(2)  (3K)  (Vn)[  [  P(n)i  a  Q(n)i  =>  |P(n)  -  Q(n)  |  ^  K  ]    v    [p(n)  =  0]  ] 

The  usefulness  of  this  lemma  is  that  it  shows  that  whenever  two  programs  are  defined 
on  the  SEirae  domain  and  the  difference  between  the  values  produced  as  a  result  of  their 
halting  computations  on  all  inputs  is  bounded,  then  for  sufficiently  large  a,  the  choice  of  a 
does  not  effect  the  distance  between  them  as  measured  under  the  8^-metric.  We  note  here 
that  in  any  fixed  programming  environment,  condition  (2)  always  holds,  so  that  whenever 
condition  (1)  holds  also,  such  M  exists^  and  would  be  a  natural  choice  to  use  as  an  upper 
bound  for  a  in  this  situation. 

In  many  situations,  we  consider  any  deviation  of  the  program's  output  from  the 
specified  output  as  an  error.  In  such  cases,  a  =  1  models  our  intuitive  notion  of  the 
discrepancy.  However,  for  other  situations,  we  are  willing  to  tolerate  "small"  discrepancies  of 
the  output  with  respect  to  its  specification,  and  thus  we  measure  the  reliability  of  the  program 
based  on  the  overall  effect  of  these  discrepancies.  Such  might  be  the  case  with  approximation 
algorithms.  In  these  cases,  a  large  value  of  a,  say  a  =  2'^,  where  M  is  the  word  size  of  the 
machine,  would  model  this  notion  reasonably. 

The  intuitive  definition  of  the  reliability  of  a  program  with  respect  to  a  specification  S  in 
a  given  environment  is  that  it  is  the  probability  that  on  an  arbitrary  input  n,  P  will  yield  the 
same  result  as  S.  This  is  essentially  how  Brown  and  Lipow,  for  example,  define  software 
reliability  in  [2],  and  we  formalize  it  in  the  following 

Definition:  Let  S  be  a  specification  with  domain  D  and  let  P  be  a  program  intended  to 
compute  the  function  S.  Then,  if  p  is  a  probability  function  characterizing  the  domain  of  P, 
we  define  the  reliability  of  P  with  respect  to  S,  denoted  R[p,S](P): 


f   Sin)    if  n6D 
R[p,S]{P)  =  l-mP,Sp)   where    Sp(n)  =  |  p^^^     -^  ^^^ 


Intuitively,  this  is  the  probability  of  correctness  with  respect  to  the  distribution  of  the  input 
domain.    We  need  to  compare  P  to  S    because  we   "don't  care"   about  n  C  U.    An  example 

will  demonstrate  : 

Example  1 

Let  M  be  the  word  size  of  a  given  machine  and  let  p  be  given  by 


r  2-'^^    if  0  <  n  <  2'^ 
'('»)-    I  0         otherwise 


i.e.,  the  inputs  are  uniformly  distributed  over  the  range  of  representable  natural  numbers. 
Let  S  specify  the  following  function: 


_    (  n    if  2'^-^:S  n  <  2'^ 
^  '        1    0    otherwise 


Let  P  be  written  to  compute 

P(n)  = 
and  suppose  another  program  Q  has  been  written  to  compute 


f  n-1    if  2'^-^<  n  <  1^ 
0  otherwise 


n    if  2''^-^<  n  <  2'^^ 


r  n     if2'^^-^< 
^^  ^        1    0    otherwise 


Thus,  P  differs  from  S  by  a  "small"  amount  for  many  inputs,  while  Q  differs  from  S  at  only 
one  point,  but  by  a  "large"  amount. 

Then,  by  the  definition, 


R[p,S]iP)   =    1   -    -^-S'l    =    I 


2-^   2--'  2 

J- 

R{p,S]iQ)  =1-^  ••^'- 

Using  this  measure  of  reliability,  P  is  deemed  highly  unreliable  because  it  produces  the 
wrong  answer  at  half  of  the  equally  likely  possible  inputs.  In  contrast  to  this,  Q  would  be 
considered  much  more  reliable  by  this  measure  since  it  is  correct  at  all  but  1  of  these  2'^ 
possible  inputs. 

We  now  use  the  parameter  a  to  generalize  the  above  definition: 

Definition  :  With  S,  P,  D,  p,  and  S  as  above,  we  define,  for  each  a  ^  1,  the  a-reliability  of 
P  with  respect  to  S,  denoted  R[a,p,S](P): 

R[oL,p  ,S\{P)  =  \ 

oc 

The  a-reliability  of  P  with  respect  to  S  corresponds  to  the  expected  value  of  the  a- 
discrepancy  between  P  and  S  with  respect  to  the  input  distribution  defined  by  p.  As  a 
increases  we  weight  the  effect  of  an  error  by  the  amoimt  of  discrepancy.  Thus,  one  is 
penalized  "only  a  little"  for  small  discrepancies  (relative  to  a).  Note  that  the  maximum 
penalty  for  an  error  on  input  n  with  this  generalized  definition  is  still  p(n),  which  occurs 
when  \P{n),Sp{n)\g^  =  a.  We  should  expect  that  with  such  relaxed  standards,  programs 
should  be  perceived  as  more  "reliable"  since  we  are  considering  fewer  errors  "important". 
The  next  lemma  demonstrates  that  this  is,  in  fact,  the  case. 

Lemma  3:  For  given  program  P,  distribution  p,  and  specification  S  with  domain  D,  if 
1  5  a  <  3  \henR[a,p,S](P)  <  R[^,p,S](P). 


-8- 

Thus,  the  reliability  function  is  a  non-decreasing  function  of  the  parameter  a,  when  P 
and  S  remain  fixed.  As  a  -  «,  however,  the  reliability  of  an  arbitrary  program  does  not 
necessarily  approach  1;  it  is  not  difficult  to  show  that : 

Theorem  4:  If  S  is  a  specification  with  domain  D,  P  is  a  program,  and  p  is  a  probability 
function,  and  if  £>2  =  {  n  I  [  P(n)i  a  S/,(n)t  ]   v   [  P(n)t  a  Sp{n)i  ]  }  then 

\imR[a,p,S]iP)    =l-p{D2). 

a-x 

The  proof  is  a  straightforward  application  of  the  definitions. 

If  P  is  a  program  which  is  p-compatible  with  S  ,  then,  with  /?2  ^^  defined  in  Theorem  4, 
p(Z?2)  =  0.  The  theorem  shows  that,  in  this  case,  the  reliability  of  P  converges  to  1  as  a  -  ». 
This  is,  of  course,  consistent  with  our  intuition.  As  a  -  <»,  the  only  errors  which  are 
"important"  are  those  inputs  for  which  the  program  or  specification  halts  while  the  other  does 
not.  If  there  are  no  such  p-possible  inputs,  (p(£>2)  ~  0)  ^^^  ^^  program  is  "highly  reliable" 
as  it  does  not  contain  any  errors  in  the  designated  set.  More  generally,  it  shows  that  the 
reliabilities  of  all  programs  in  a  given  p-compatible  equivalence  class  converge  to  the  same 
point  in  the  interval  [0,1]  as  a  -» ».  This  behavior  makes  it  difficult  to  compare  reliabilities 
obtained  with  different  values  of  a. 

We  return  to  Example  1,  to  illustrate  the  role  of  a  in  the  generalized  notion  of 
reliability. 

Example  2 

Let  S,  p,  P,  and  Q  be  those  of  Example  1,  and  consider  the  generalized  reliability  functions 
of  P  and  Q: 

R[a,p,S](P)   =    1    -    -^   •    2'  1    =    1  -  (2a)-^ 


2'^a 


r  1  -  2-'^         if  a   <   2^-^ 
R[a,p,S]iQ)   =    I  i-(2a)-i    if  a   ^   2'^ "  ^ 


When  a  =  1,  R[a,p,S](P)  simply  measures  the  frequency  of  error,  relative  to  the  input 
distribution.  As  a  grows,  the  magnitudes  of  the  errors  play  an  increasingly  important  role. 
Notice  that  in  this  example,  the  total  discrepancies  of  both  P  and  Q  are  the  same,  2'^"^. 
When  a  is  less  than  this  number,  the  reliability  of  P  is  measured  to  be  less  than  that  of  Q. 
When  a  is  greater  than  or  equal  to  this  number,  the  two  programs  have  the  same  measure  of 
reliability,   o 

Example  3 

The  required  program  must  compute  the  function 


Sin)  =  trunc]  lOOOOOexp 


1000 


for  all  n  in  the  range  [0,  9999],  where  exp(x)  is  defined,  for  all  rational  x,  by  its  infinite 
expansion,    2  TT-  Since  the  specification  requires  no  more  than  five  decimal  places  of 


i-O 


it! 


precision  in  the  decimal  expansion  of  exp(n/1000),  S(n)  is  both  well-defined  and  computable. 
Program  P  performs  the  calculation  using  the  algorithm 


Pin)  =  trunc 


100000-2.7183  iooo 


Program  Q  performs  the  calculation  using  the  algorithm    ., 

8  I 


C(n)  =  trunc 


100000- y ^ 

i-o  1000* -it! 


Our  objective  is  to  assign  a  measuje  of  accuracy  to  each  of  the  two  methods  of 
performing  the  calculation  under  the  imiform  distribution  on  the  integer  interval  [0,9999].  To 
this  end,  we  select  a  set  of  50  test  points,  T  =  {0,  200,  400,  ...,9800},  and  we  assume  that  the 
computations  with  these  points  represent  fairly  the  true  reliability.  The  following  table  shows 
the  reliabilities  of  the  programs  P  and  Q  restricted  to  the  test  set,  using  the  definition  with 
different  values  for  a,  and  with  the  uniform  distribution  on  the  set  {200n  |0^n<49,  n  e  N}. 


a 

R[a,p,S](P) 

R[a,p,S](Q) 

1 

.020 

.100 

10 

.020 

.144 

100 

.063 

.181 

1000 

.171 

.227 

10000 

.328 

.289 

100000 

.511 

.366 

1000000 

.707 

.462 

10000000 

.912 

.582 

100000000 

.991 

.727 

As  one  would  expect,  the  table  reflects  the  fact  that  the  finite  Taylor  polynomial  is  an 
asymptotically  poorer  approximation  than  the  iterated  power  method.  (Here,  both  programs 
were  written  in  C  and  run  under  UNIX  version  4.2  BSD  on  a  VAX-11/750.)  The  table  shows 
that  Q  generates  fewer  discrepancies  than  P,  since  when  a  =  1,  Q's  reliability  is  greater.  It 
shows  that  these  discrepancies  must  be  of  greater  total  magnitude  though,  since  when 
a  ^  10000,  Q  is  less  reliable  by  our  definition.  In  addition,  it  shows  that  in  both  cases  there 
are  many  discrepancies,  since  when  a  =  1,  the  reliabilities  of  both  P  and  Q  are  low.   n 

Chir  final  example  is  of  a  situation  in  which  the  input  domain  is  governed  by  a  form  of 
Pareto  distribution. 


10 


Example  4 

Let  S  be  a  specification  of  a  program  to  compute  income  tax,  to  the  nearest  dollar,  when 
given  as  input  an  adjusted  gross  yearly  income,  also  to  the  nearest  dollar.  Suppose  that  there 
are  two  programs,  P  and  Q,  written  to  satisfy  S,  and  that  it  has  been  determined  that  neither 
is  correct.  In  fact,  we  assume  that  it  has  been  determined  that  the  programs  are  incorrect 
according  to  the  following  patterns  : 


Pin)  = 


Qin)  = 


S{n)  +  50  if  n  M  10000  +  lOJt  1 1  <  Jt  <  2000  } 

sin)  +100  if  n  e  {  30000  +  lOOk  1 1  s  jfc  <  99700  } 

5(n)  otherwise 

S(n)  +  1  if  1  s  n  <  10000 

sin)  +  5  if  10000  <  n  s  20000 

sin)  +  10  if  20000  <  /i  i:-  30000 

5(n)  otherwise 


The  operational  distribution  is  given  by 

0 

5(2)-^  •  lO-' 


P(«)  = 


1-2 


10^ 


if  n  =  0 


if  n  >  0 


where  {(5)  is  the  Riemann  zeta  function  of  s,  for  s  >  1,  which  is  defined  by  : 

i-l   AT 


We  compute  the  a-reliabilities  of  P  and  Q  : 

1       (  2^ 
R[a,p,S]iP)=    l-j-\    : 

=    1-  ^-  (?(2)-il0-^) 


20000  30000  "^ 

X    pin)  ■  min(a,50)  +      ^    pin)  ■  min(a,100) 


n -20001 


20 


1000 


1000 


100 


2^^min(a,50)   +    2    ^ 
U-i    k-  k-i  k- 


min(a,100) 


.    1-1 
a 


[l596.2  •  min(a,50)   +   28.38  ■  min(a,100)] 


~    1  - 


UO^TT^J 

6079_  .  ri596  2  .  min(ct,50)   +   28.38  •  rain(a,100)] 


a  •  10 


and 


/•lOOOO  20000  30000 

R[a,p,S]iQ)=    I-  ^  ■  \^pin)Tmnia,l)+    ^    p(n)  •  min(a,5)  +     2    pin)  ■  nnnia,10) 
a       {„.i  n-10001  n-20001  J 

flOOOO  20000     .  30000      - 

=    1-  1-  U(2)-^-  10-^|-    5;  min(a,l)  +    2     |min(a,5)  +     2     ^-minCa,! 
ay  ^   U-1  i-10001^  i-20000i=' 


11 


a 


_i_j  .  |io4   +    i^  .  „in(a,5)    +    -l|i  .  min(a,10) 


^    1  _  .16079  .  ^1  0000   +   0.2500niin(a,5)   +    .llllniin(a,10)] 


The  above  functions  may  be  defined  piecewise  as  follows  : 
R[a,p,S]{P)  - 


.9012  if  a  s50 

.9983  -  '4.852a-i    if  50  <  a  <  100 

1.000  -  5.024a-^     if  100  <  a 


R[cL,p,S]{Q)^ 


.7805  -  .6079-0-1    if  a  <  5 
.325  -  1.368a-i      if  5  <  a  <  10 
1.000  -  2.043a-i    if  10  <  a 


By  solving  the  inequalities  we  see  that  when  a  ^  20,  the  reliability  of  P  is  greater  than  that 
of  Q,  while  when  a  &  21,  Q  is  deemed  more  reliable  than  P.  In  particular,  we  show  some 
results  for  selected  values  of  a  : 


a 

R[a,p,S](P) 

R[ci,p,S](Q) 

1 

.901 

.173 

10 

.901 

.796 

20 

.901 

.898 

50 

.901 

.959 

100 

.950 

.980 

The  preceding  examples  demonstrate  that  the  relative  reliabilities  of  P  and  Q  are 
governed  by  the  choice  of  a.  Hence,  the  choice  of  a  should  be  guided  by  the 
characterization  of  reliability  desired.  That  is,  one  would  decide  upon  the  extent  to  which 
reliability  should  measure  the  "sizes"  of  errors  and  the  frequency  of  errors.  Therefore,  one 
is  certainly  able  to  characterize  many  notions  of  reliability  within  this  family  of  reliability 
measures.   In  fact,  one  can  show  that : 

Lemma  5:  Given  any  specification  S,  probability  function  p,  and  a  s  1,  there  are  programs 
Q  and  Q'  such  that 

R[a,p,S](Q)  >  R[a,p ,S](Q')  but  R[a' ,p ,S]{Q')  <  R[a' ,p,S]iQ')   whenever  a'  >  a     n 


Measuring  Reliability 

It  is  true  that,  since  8^  is  not  a  computable  functional,  R[a,p,S]  is  not  a  computable 
functional.  However,  we  do  not  let  this  fact  prevent  us  from  using  the  definition  to  model 
reliability.  In  general  we  hope  to  measure  reliability,  and  applying  the  definition  clearly  falls 


-  12- 

short  in  this  respect.  However,  this  is  not  an  uncommon  situation  in  mathematics.  For 
example,  although  the  definition  of  the  definite  integral  falls  short  in  much  the  same  way, 
we  don't  let  that  stop  us  from  calculating  integrals. 

In  order  to  discuss  using  the  definition  we  must  clarify  some  technical  points  about 
computable  functions.  Recall  that  the  range  of  any  partially  computable  function  in  our 
model  is  a  subset  of  the  natural  numbers.  Whenever  p  is  a  rational  number,  what  we  mean 
by  the  statement  that  program  P  computes  P(n)  =P  is  that  if  3  =  q/r  where  gcd(q,r)  =  1, 
then  the  output  of  program  P  on  input  n  is  the  number  <q,r>  for  some  pairing  function 
<  ,  > .  When  we  say  that  a  real-valued  function /is  computable,  we  mean  that  whenever  yf"^ 
is  irrational  we  can  use  an  algorithm  for  /  to  compute  an  arbitrarily  close  rational 
approximation  to  f(n).  More  formally,  we  say  that  there  is  a  total  function,  o:  N  -  R,  such 
that  o(m)  -  0  as  m  -  «,  and  a  rational  computable  function  /:  N  x  N  -  Q,  such  that 
(i n.m  i  N)  (I/(n,m)  —  f(n)  \<  o(m)  ).  It  is  in  the  above  sense  that  we  will  mean  that  a 
function /is  a  computable  real  function. 

Suppose  that  we  must  determine  the  reliability  of  a  program  P  with  respect  to  its 
specification  S  in  a  given  environment.  We  choose  some  finite  set  T  of  values  from  the 
domain  D  of  S  and  we  use  these  values  as  program  inputs.  Assuming  that  we  can  determine 
the  values  S(t)  and  P(t)  "  for  each  t  selected,  we  can  measure,  for  any  a,  the  a -discrepancies 
that  arise.  We  must  then  assign,  for  each  t  €  T,  a  "weight",  Pf{t),  corresponding  to  the 
probability  that,  in  any  sample  space  of  size  |T  I ,  t  occurs  as  an  input  to  P,  in  such  a  way  that 
the  reliability  of  P  when  restricted  to  T  will  equal  its  reliability  over  the  full  domain.  How 
can  we  arrive  at  such  an  assignment? 

If  we  choose  the  set  T  independently  of  any  knowledge  of  the  operational  distribution 
of  the  inputs,  then  we  must  impose  a  distribution,  given  by  pj-,  on  the  set  T.  If  we  have  some 
knowledge  of  the  actual  distribution  then  we  may  be  able  to  approximate  it  on  T  in  such  a 
way  that  T  can  "stand  in"  for  the  full  domain.  For  instance,  suppose  that  y  =  ^  pit),  where 

liT 

p(t)  is  some  approximation  to  p(t).  Then  we  can  sci  pj-(t)  =  pit)/y  for  t  €  T,  and pj-(t)  =  0 
otherwise.   If  we  have  no  knowledge  oi  p,  then  we  can  simply  setpj{t)  =  y\T\. 

If  we  specifically  choose  the  set  T  to  represent  the  operational  distribution  of  the  full 
input  domain,*  then  the  weights,  pjit),  are  implicitly  incorporated  into  the  choice  of  T,  and  a 
different  action  is  now  required.  It  is  then  sufficient  to  treat  T  as  a  uniformly  distributed  set. 
This  is  done  implicitly,  for  example,  in  the  Nelson  model  [18],  where  random  test  cases  are 
selected  from  each  of  the  cells  of  a  partition  of  the  input  domain.  Thayer  et  al  [18]  show  that 
this  produces  an  unbiased  estimator  of  the  actual  reliability,  where  the  definition  of  reliability 
they  use  is  a  variant  of  a  special  case  of  ours  (with  a  =  l  and  under  a  finite  domain).  Brown 
and  Lipow  provide  an  excellent  discussion  of  some  techniques  for  selecting  test  data  to 


+  We  can  not,  in  general,  determine  algorithmically  whether  or  not  P(t)4  so  that  we  cannot  always 
deterniine  P(t);  however,  in  many  cases  it  is  possible  for  us  to  conclude  this  or  make  an  educated  guess 
about  it. 
t  For  example,  by  choosing  the  inputs  at  random  according  to  the  probability  function  p. 


-13- 

approxiraate  the  operational  distribution,  and  provide  a  quantitative  measure  of  the  degree  of 
approximation  [2]. 

In  any  case,  the  function  pj  should  be  computable  if  we  are  to  use  it  in  actual 
calculations.  Furthermore,  it  should  be  a  rational  function,  since  otherwise  we  would  have  to 
approximate  its  irrational  values  rationally.  Given  these  assumptions  about  the  probability 
function  pj,  the  question  arises  as  to  whether  we  can  actually  raeasuire  the  exact  reliability  of 
an  arbitrary  program  with  respect  to  its  specification  and  its  operational  distribution.  Stated 
more  formally,  given  a  specification  S,  distribution  p  of  its  input  domain,  and  program  P, 
does  there  exist  a  finite  set  T  and  a  rational,  computable  distribution  pj  satisfying  pj{t)  =  0 
if  X  ^  T,  such  that  for  any  a  6  N  R[a,p,Sj(P)  =  R[a,/>j-,S](P)  ? 

A  result  of  mostly  theoretical  interest  is  that,  for  those  specifications  which  do  not 
constrain  their  domains  to  be  finite  and  which  have  infinitely  many  p-possible  inputs,  the 
answer  is  negative.  We  show  that  if  we  have  a  specification  S  such  that  there  are  infinitely 
many  elements  n  of  its  domain  for  which  p(n)  >  0,  and  that  if  p  is  computable,  then  we 
cannot  hope  to  compute  the  exact  reliability  of  an  arbitrary  program  using  a  finite  set.  We 
prove  : 

Theorem  6:  Let  S  be  a  specification  with  domain  D,  let  p  be  a  computable  probability 
function  such  that  D'  =  {n  €  D  |  p(n)  >  0  }  is  infinite,  and  let  a  ^  1.  Then  there  is  a 
program  Q  such  that  for  any  finite  set  T  and  any  rational  probability  function  pj-  such  that 
Pj{n)  =  0  whenever  n  ^  T, 

R[a,p,S](Q)*R[cL,pr,S]{Q) 

proof 

The  proof  uses  some  elementary  results  from  number  theory.  The  idea  is  to  construct 
effectively  a  subset  of  elements  of  D'  such  that  the  probability  of  this  subset  is  an  irrational 
number.  This  will  be  possible  as  a  result  of  a  sequence  of  lemmas  we  prove  in  the  appendix. 
We  then  use  this  construction  to  produce  a  program  Q  whose  reliability  is  irrational. 

The  following  is  the  needed  lemma  : 

Lemma  11  :  Let  D  Q  N  be  an  infinite  computable  set.  For  any  computable  probability 
function  p  for  which  p(n)  >  0  infinitely  often  for  n  ^  D,  there  exists  a  computable 
characteristic  function  x  such  that  ^    p{'t)x(n)  is  irrational. 

nC.V 

This  follows  from  Lemma  10  of  the  appendix. 

Recall  that  we  assume  D  to  be  a  computable  set.  Since  p  and  D  satisfy  the  conditions  of 
Lemma  11,  there  exists  a  computable  characteristic  function  x  such  that  2  P(")  '  xC")  is 

n€.V 

irrational.   We  define  a  program  Q  as  follows: 


Q(n)    = 


Sin)  +  a  ■  x(n)     if    5(n)i 

00  if    5(n)T   A   xC")  =  0 

0  if    [5(n)t   A    x(n)  =  1]   v   n  €  f/ 


-  14  - 

Clearly  Q  exists,  since  the  function  it  computes  is  partially  computable.    Recalling  that 
5g(n)  =  S{n)  if  n  €  D  and  Q(n)  otherwise,  it  follows  that 

OfniN)  \  Qin),SQ(n)  I,   =    «  •  xC") 
Hence, 

R[a,p,S]iQ)    =    2p(n)l  G(n),5c(n)  |„ 


ln«.V  ) 


is  irrational.  Since  no  finite  sum  of  rational  numbers  can  equal  an  irrational  nimiber,  for  any 
finite  set  of  numbers,  T,  and  any  probability  function  p-j-  such  thatp;-  is  rational  andpj(n)  = 
0  for  t  ^  T,  we  must  have 

R[a,p,S]iQ)   ^   R[oi,Pr,S](Q) 

This  completes  the  proof  of  the  theorem,  n 

There  is  a  well  known  result  in  the  theory  of  software  testing  [8]  that  for  any 
specification  S  and  program  P  there  exists  a  finite  test  set  T  such  that  if  we  can  effectively 
decide  for  each  t  ^  T  whether  or  not  P  halts  on  t,  then  P  is  correct  on  T  if  and  only  if  P  is 
correct  on  all  of  D,  where  D  is  the  domain  of  S.  The  preceding  theorem  shows  that  this 
statement  cannot  be  generalized  in  terms  of  reliability.  Correctness  is  the  special  case  when 
R[a,p,S](P)  =  1  for  any  choice  of  o  and  any  probability  function  p.  Thus  one  might  have 
hoped  to  say  that  for  any  specification  S,  any  program  P,  and  any  distribution  p  of  the  input 
domain,  there  exist  a  choice  of  a  and  a  finite  set  T  such  that 

R[a,p,S]{P)    =   R[oL,pj  ,S]iP) 

where  pj-  defines  any  (rational)  distribution  that  is  zero  for  n  ^  T.  This  theorem  shows  that 
this  statement  is  false. 

Summary 

We  have  presented  a  mathematical  definition  of  program  reliability  that  applies  to 
programs  whose  specifications  are  partially  computable.  It  is  not  a  computable  definition,  in 
that  it  assumes  the  existence  of  an  algorithm  to  determine  of  each  input,  whether  or  not  the 
computation  on  that  input  ever  halts;  nonetheless,  it  serves  as  a  model  to  approximate. 

The  definition  is  parametrized  by  two  parameters:  an  integer  which  can  be  used  to 
impart  a  notion  of  accuracy  of  computation,  and  a  distribution  characterizing  the  input 
domain.  Rarely  is  the  latter  known  precisely. 

We  believe  that  the  definition  provides  a  theoretically  sound  measure  of  reliability,  and 
claim  that  several  previously  published  time-independent  definitions  of  reliability  are  special 
cases  of  this  definition.  Furthermore,  we  show  that  the  definition  can  be  approximated  if 
enough  information  is  available,  and  that  an  important  aspect  in  the  measurement  of  software 


-15- 

reliability  is  the  determination  of  the  operational  distribution  of  the  subject  software.  We 
have  also  shown  that  infinite  domains  pose  particular  problems  in  that  there  does  not 
necessarily  exist  a  method  to  measure  the  exact  reliability  of  a  program  for  which  there  are 
infinitely  many  possible  inputs  specified. 

One  possible  generalization  of  this  definition  of  reliability  would  be  to  include  a 
measure  of  the  cost  of  an  error  (although  this  is  reflected  to  some  extent  by  the  use  of  a 
which  allows  the  discrimination  between  "big"  and  "small"  errors).  Also,  since  the  lack  of 
data  and  studies  about  operational  profiles  is  frequently  a  stumbling  block  in  the  study  of 
reliability,  we  suggest  that  such  data  be  collected  in  an  organized  way,  and  that  we  begin  to 
characterize  some  of  the  problems  we  encounter. 

Acknowledgment 

The  authors  thank  Phyllis  G.  Frankl  for  her  helpful  comments.  They  also  thank 
Professor  Martin  Davis  for  his  helpful  suggestions  about  the  treatment  of  computable  real- 
valued  functions,  and  Professor  Thomas  C.  Wesselkamper  for  his  critical  review  and 
recommendations . 


16 


References 

1.  B.  W.  Boehra,  J.  R.  Brown,  and  M.  Lipow,  "Quantitative  Evaluation  of  Software 
Quality",  Proceedings  of  the  Second  International  Conference  on  Software  Engineering. 
San  Francisco  CA,  October  1976,  pp.  592-605. 

2.  J.  R.  Brown  and  M.  Lipow,  "Testing  for  Software  Reliability",  Proceedings  of  the 
International  Conference  on  Reliable  Software.  Los  Angeles  CA,  April  1975,  pp.  518- 
527. 

3.  Martin  Davis,  Computability  and  Unsolvability.  Dover  Publications, Inc.,  New  York, 
1982. 

4.  M.  D.  Davis  and  E.  J.  Weyuker,  Computability,  Complexity,  and  Languages.  Academic 
Press,  New  York,  1983. 

5.  Amrit  L.  Goel,  "A  Guidebook  for  Software  Reliability  Assessment",  Technical  Report 
No.  83-11,  Syracuse  University,  Syracuse  NY,  April  1983. 

6.      ,  "A  summary  of  the  discussion  on  'An  analysis  of  competing  software 

reliability  models,'"  IEEE  Transactions  on  Software  Eng.,  Vol.  SE-6,  No.  5,  Sept.  1980, 
pp.  501-502. 

7.  Herbert  Hecht,  "Mini-Tutorial  on  Software  Reliability",  Proc.  COMPSAC80,  IEEE, 
Chicago,  1980,  pp.  383-385. 

8.  William  E.  Howden,  "Reliability  of  the  Path  Analysis  Testing  Strategy",  IEEE 
Transactions  on  Software  Eng.,  Vol.  SE-2,  No.  3,  Sept.  1976,  pp.  208-215. 

9.  A.  lannino,  J.  D.  Musa,  K.  Okumoto,  and  B.  Littlewood,  "Criteria  for  Software 
Reliability  Model  Comparisons",  IEEE  Transactions  on  Software  Eng.,  Vol.  SE-10,  No. 
6,  Nov.  1984,  pp.  687-691. 

10.  IEEE  Standard  Dictionary  of  Electrical  and  Electronic  Terms,  second  edition,  IEEE,  New 
York,  1977. 

11.  B.  Littlewood,  Comments  on  Moranda's  Critique,  1979,  22  pp. 

12.  W.  H.  MacWilliams,  "Reliability  of  Large  Real-Time  Control  Software  Systems", 
Record  1973  IEEE  Symposium  on  Computer  Software  Reliability,  New  York,  April  1973, 
pp.  1-6. 

13.  P.  B.  Moranda,  "Comments  on  :  'An  analysis  of  competing  software  reliability  models  ' 
:  G.  J.  Schick  and  R.  W.  Wolverton,"  1979,  42  pp. 

14.  C.  V.  Ramamoorthy  and  Farokh  B.  Bastani,  "Software  Reliability  •  Status  and 
Perspectives",  IEEE  Transactions  on  Software  Eng.,  July  1982,  pp.  354-371. 

15.  G.  J.  Schick  and  R.  W.  Wolverton,  "An  analysis  of  competing  software  reliability 
models,"  IEEE  Transactions  on  Software  Eng.,  Vol.  SE-4,  No.  2,  Mar.  1978,  pp. 104-120. 

16.     ,  "An  examination  of  some  of  the  questions  raised  regarding  the  paper  'An 

analysis  of  competing  software  reliability  models,'  a  rebuttal,"  1979,  19  pp. 


-  17  - 

17.  Martin  L.  Shooman,  Software  Engineering.  McGraw-Hill  Book  Company,  New  York, 

1983. 

18.  T.  A.  Thayer,  M.   Lipow,  and  E.   C.  Nelson,  Software  Reliability.    TRW  Series  of 
Software  Technology  2,  North-Holland  Publishing  Co.,  New  York,  1978. 

19.  Harry  N.  Wright,  First  Course  in  Theory  of  Numbers.  John  Wiley  &  Sons,  Inc.,  New 
York,  1958. 


-18- 

Appendix 

We  include  here  the  complete  proof  of  Theorem  12: 
DerinitloD  :  A  Simple  Continued  Fraction  (SCF)  is  an  expression  of  the  form 

«i  +  —. (5) 

-:+  1 


ai  + 


a,+ 


in  which  a^  €  Z,  the  set  of  integers,  and  a,  C  Z     for  i  >  1,  and  which  does  not  necessarily 
terminate.  If  the  number  of  terms  in  a  SCF  is  finite,  it  is  called  a  finite  SCF,  otherwise  it  is  an 
infinite  SCF. 
Notation  :  We  denote  a  finite  SCF  of  the  form  (5)  by  (0^,02,  •  •  •  ,a„)  or  by 

_J 1_     .  .  .     J_ 

ai+     02+  a„ 

and  an  infinite  SCF  by  (a  1,02  >  •  •  •  )  or  by 

_1 1_ 

ai+      02  + 

CoDvention         Suppose    x    =     (0^,02,  •  •  ■  ,a„).     It    is    not    hard    to    see    that    x     = 

(flijfl;,  ■  ■  ■  .Or"!)  1)  ^so.  However,  by  requiring  that  a„  >   1  in  any  finite  SCF  with  n 

terms,  we  establish  a  canonical  form,  and  we  adhere  to  that  form  here. 

Lemma  6  :  To  each  rational  number  x  there  is  a  unique  finite  SCF  (0^,02,  •  •  •  ,a„)  in 

canonical  form  such  that  x  =   (a  1,02.  "  "  '  .^n)-    Conversely,  each  such  SCF  represents  a 

unique  rational  number. 

Lemma  7  :  A  number  x  is  irrational  if  and  only  if  there  is  an  infinite  SCF  (0^,02,  •  •  •  )  such 

that  X  =  (01,02.  ■  ■  ■  )•  (  We  omit  the  necessary  proofs  of  convergence  here.)  In  this  case 

also,  the  correspondence  is  unique. 

The  next  lemma  is  easily  proved  by  induction  on  the  value  of  k. 

Lemma  8  :  Let  p  =  (0^,02,  ■  ■  •  .Ojk-i,  jj  and  q  =  (ai,fl2'  '  '  "  >°i-i»  h)^  where  Jj  and  r^  are 
rational  numbers,  and  a,  ^  Z     f or  i  =  2,3,.. .,k  -  1.   Then 


[p<q\<>  [{h-s,){-\y<o\ 


Lemma  9  :  Let  x  =  (a  1,02.  '  '  '  ^°n)^^  ^ny  rational  number.  Then  there  is  a  number  5  >  0 
such  that  whenever  0  <  q  <  ^  then  x  +  q  has  no  fewer  than  n  +  1  terms  in  its  canonical 
SCF.   Moreover,  ^  can  be  obtained  recursively  from  x. 


-19- 

proof 

Let  ?  =   (fli.fl:,  •  •  •  ,a„  +  (-1)"^^)  "  x.  Then  since  (a„  +  (-1)"^^)  -  aJC-l)"  =  -1  it 

follows  by  Lemma  8  that  x  <  x  +  4- 

Let  y  =  (a|,a;,...,ai_i,ii,ijt  +  i,fci+;,. ..,*„)  where  1  s  k  s  n  and  a^¥^b;^  and  otherwise  the  b, 

are  arbitrary  positive  integers,  except  that  b„  >  1. 

For  1  <  k  <  n,  let 

a.   = 


1 

•  + 

1 

On 

1 

•  + 

1 

1 

ai+i  + 

ak+2  + 

a„  +  (-l)-^ 

1 

•  + 

1 

1 
b„ 

Pi  = 

and  let  a„  =  p„  =  0  and  a' „  =  (-l)""*"^.   Note  that  for  fc  <  n,0  <  ai^,a\,^^,  <  1  and 

a:  +  4  =  (ai,fl2,--,ai  +  a'i) 

y  =  (ai,a:,...ii  +  PJ 

f or  1  <  k  ^  n. 

Applying  a  corollary  of  Lemma  8  repeatedly: 

Case  1  :  k  even,  k  <  n 

i^  <  flj   =>   fej  +  Pjj  <  flj  <  fli  +  a'i 

=>  (fli,a2.  •  •  •  .fli  +  ot'i)  <  (fli.fl:.  •  •  •  .*i  +  Pi) 

=>  -t  +  4  <  >-. 

fli  <  *i    ^  (fli  +  tti)  <  ^  <  (h  +  Pi) 

=>  (ai,a2.  •  •  ■  A  +  Pi)  <  (^1,02.  •  •  •  .^i  +  "i) 

=>  y  <  X. 

Hence,  in  case  k  is  even  and  k  <  n,  a^  #  fc^  implies  y<x  orx  +  4<y. 
Case  2  :  k  odd,  k  <  n 

b^<a,    =>    (b,  +  Pi)  <a,<  (a,  +  a,) 

.     =>    ia,,a2,  ■  ■  ■  ,b^  +  3J  <  (0,^,02,  •■,04  +  aj 
^   y  <  X. 
a,<b,    =>    (a,  +  ol\)  <b,<  {b,  +  PJ 

=>    (fli.fli.  •  ■  •  .fli  +  a'i)  <  (a-.A:.  "  •  •  .*i  +  Pi) 


20 


Hence,  in  case  k  is  odd  and  k  <  n,  a^  *  b^  implies  y<xorx  +  4<y. 
Thus,  ifxsy^x  +  4  then  if  y  =  (ii,*:.  '  *  *  .*«).  we  must  have  6,  =  a,   for  i  =  1,2, 
...,n-l. 

Consider  the  case  that  y  =  (01,02.  '  '  '  »fln-i.*n)-   By  Lemma  8, 

y<x  +  k    <.    (a„  +  (-l)''*l-6j-(-l)''<0 

o    (a„-i„)-(-ir<l 

o  K-ij(-i)"so 

This  shows  that  regardless  of  the  value  of  b,  either  y  ^  x  or  x  +  ^  s  y.  It  should  be  clear 
that  if  y  =  {01,0-,  •  ■  •  ,fli)  and  k  <  n  then  if  k  is  even,  x  +  4  <  y.  and  if  k  is  odd,  y  <  x. 
Together,  the  preceding  results  show  that  there  is  no  SCF  with  fewer  than  n  +  1  terms  which 
lies  in  the  interval  (x,  x  +  ^).  This  proves  the  lemma.     □ 

L«mma  10  :  Let  D  =  {^yj/.o  ^^  ^  infinite,  computable  subset  of  N.  Let  11  =  {Prf}"  q  be  an 
infinite  sequence  of  positive  rational  numbers  such  that  lira/7^  =0.   Then  there  is  an  infinite 

X 

subset,    S  =  {".ir-o  i"  ^^  ^^^^  ^^^  2Pn   's  irrational.    Moreover,  if  p„  is  a  computable 

y-o    ^ 

function  of  n,  then  the  characteristic  function  Tj  of  S  is  computable  and 

y-0      '  n-O 

proof 

For  any  rational  number  x  let  ^(x)  be  the  number  obtained  by  lemma  10.  Let  ^c|y  be  the 
number  of  terras  in  the  SCF  representing  x.  If  x  is  irrational  then  \x\ ^  =  ».  We  define  a 
function  a  on  N  by 

ct(0)  =  min^  [d  i  D] 

(  '  ) 

a(j  +  l)  =  min^    Pj  <  ?  X  P.U)     ^  [  '^  >  ''(O  ]  A  [  d  €  D] 


Since  the  sequence  {p^  }  is  infinite,  positive,  and  tends  to  zero  ,  for  each  number  d  we  are 
guaranteed  to  find  a  d  6  D  such  that  p^  is  as  small  as  required.  Thus  the  miniraalization  is 
total,  and  since  a  is  otherwise  obtained  from  computable  functions,  a  is  (totally)  computable. 

Clearly,  ct  is  a  strictly  increasing  function,  so  that  if  5  =  {  (t{\)  |  i  €  N},  then  S  is 
infinite,  S  C  D,  and  by  a  standard  result  of  computability  theory,  5  is  a  computable  set.  Set 
n.  =  (j(J)  for  all  j.   Let  F^  be  the  charaaeristic  function  of  S,  i.e., 


-21- 


Then  F^  is  a  computable  predicate,  and 

XPn,     =      ^Pn   ■   r^Cn) 

y-0     ■'  n-O 


Let 


T„   =    a  Pj-  TjO)    and    T  =   IiraT„ 
j-o  ""* 

We  claim  that  t  is  irrational.  Consider  the  SCF  representing  t.  By  our  construction  of  the 
function  a,  and  by  Lemma  9, 


n  < 


so   clearly,    as   n   -   <»,    the   length   of  the  SCF  of  t„   increases  without  bound,   hence 
I  T  L  =  |lim  T„  !/=«>,  which  proves  that  t  is  irrational,    n 


n 

n  +  l 

y-0     ^ 

/  < 

S   Pn, 

This  book  may  be  kept 

FOURTEEN    DAYS 

A  fine  v.-ill  be  charged  lor  each  day  the  book  is  kept  overtinie. 

i 

1 

1 

1 

CAVLORD   142 

PRINTED   PN  U    S   * 

.  « 


V 


«--^^ 


NYU   COMPSCI    146    c.2 
Weiss,    Stewart   N 

A  time-independent 
definition  of 


1 

NYU  COMPSCI    146    c.2 
;,        Weiss,    Stewart  N 

—       A  time-independent 
definition  of 

DATE   DUE 

BORROWERS    NAME 

N.Y.U.  Courant  Institute  of 
Mathematical  Sciences 

251  Mercer  St. 
New  York,  N.  Y.    10012 


